Cross-site POST form submissions are forbidden in SvelteKit

No Comments
Published: 21.04.2024

Do you get a cross-site POST form submissions are forbidden error in your SvelteKit application? In this super quick guide, I will show you exactly how to solve it. First, we will look at how the error occurs, and then we will look at how to solve it. You can also jump directly into the solution if you want to.

How does the error Cross-site POST form submissions are forbidden occur in SvelteKit

The error occurs when you try to submit a post form from a different URL than configured inside your application. This is part of the built-in protection against Cross-Site Request Forgery (CSRF) attacks, which is a good thing. CSRF attacks are real; for more information on them, check the link here.
Important: Therefore, you should not set csrf.checkOrigin to false inside the SvelteKit application for your production apps.

How to solve the error in SvelteKit

The solution to this problem is pretty straightforward. You have to correctly configure the origin of your SvelteKit application. To do so, you can set the environment variable ORIGIN directly before starting your node application:

ORIGIN=http://localhost:3000 node build/index.js

Inside of docker, you can also specify the environment variable for your container, for example, by first adding it to your Dockerfile:


and then set it inside of your docker-compose.yml like this:


After you do this, the error should not occur anymore.

Need help or want to share feedback? Join my discord community!


In this quick guide, you learned how to solve the Cross-site POST form submissions are forbidden error inside of SvelteKit. You also learned why the error occurs and what you should not do to solve it. I hope this guide was helpful to you. If you have any questions, feel free to ask!



If this guide is helpful to you and you like what I do, please support me with a coffee!


Discussion (0)

Add Comment

Your email address will not be published. Required fields are marked *